Shadow IT: what it is, its risks, and how to address it


Gartner predicts that organizations’ IT teams will increase their level of software spend by nearly 12% in 2023.

This underscores employees’ growing appetite for software (namely SaaS applications) and the risks of failing to satisfy this want. More specifically, if IT can’t provide employees access to the applications they need within a short time frame, employees may take it upon themselves to buy these applications. 

While this might seem like a suitable solution, as employees can access the tools they need quickly and easily, it introduces a number of business risks.

We’ll cover these risks in detail as well as a solution for addressing them. But first, let’s explain the phenomenon associated with this behavior: shadow IT.

What is shadow IT?

It’s when an employee uses a software application or device that isn’t owned and centrally managed by IT. Since IT typically isn’t made aware of these applications and devices, they can’t respond accordingly.

Given its broad definition, shadow IT can take various forms. Common examples include:

  • Working on a personal laptop (assuming your organization doesn’t have a bring-your-own-device, or BYOD, policy)
  • Using a 3rd-party SaaS application that IT hasn’t approved
  • Emailing employees, clients, or prospects from a personal email address


What are the risks of shadow IT?

Here are just a few of the issues associated with shadow IT.

Security risks

Employees almost certainly don’t take the same precautions in protecting their personal devices as they do with work-issued equipment. As a result, working from the former can lead to a wide range of problematic scenarios:

  • An employee may not have set up a login for their personal computer. This leaves your data and applications exposed if the laptop is lost or stolen.
  • If the device lacks proper anti-malware software and/or runs an outdated operating system, it is largely unprotected against attacks.
  • An employee may forget to install and use a VPN on their personal device. This leaves their traffic exposed on insecure networks when working in a coffee shop, airport, or any other public space.

Compliance risks

To build trust and credibility with prospects and clients, your organization will need to be compliant with widely-recognized regulations, like GDPR, and regularly pass security audits, like SOC-2 Type II.

While shadow IT doesn’t necessarily cause compliance issues or lead you to fail a security audit, it leaves your organization significantly more exposed to both.

Unnecessary spending

In some cases, an application purchased via shadow IT overlaps with one or more existing point solutions. The purchaser was simply unaware, either out of negligence or because they lacked a holistic view of their organization’s tech stack. In either event, the purchase was a redundant expense that could have been avoided had IT been involved.

Suboptimal applications

Your team of IT professionals has likely created a comprehensive procurement process that aims to ensure that whatever tool gets purchased adheres to high security standards and is best-in-class. 

For instance, when evaluating a given tool, the requestor might have to provide information on the tool itself, the information it’d store, the certifications it’s earned, the individuals who’d use it, the use cases it’d support, and much more. The requestor might even be asked to identify alternatives and to compare all the options in terms of price, ease of use, etc.

Through shadow IT, employees are able to skip this evaluation, leading them to neglect better tools as well as ignore security gaps that can come back to hurt your organization.


Data loss

Since IT doesn’t establish a backup strategy for shadow IT applications, they’re susceptible to permanent data loss. In other words, events like data breaches could affect your organization even more, as no disaster recovery plan exists for these apps.

Compromised integrations

When a shadow IT application is integrated with your other applications, they too become vulnerable. For example, the shadow IT application can access and store sensitive data from the other applications it’s connected to—providing a potential attacker with an access point to that data.

Data integrity 

Without clean and accurate data, your organization will fail to make timely and appropriate decisions. Your reps may reach out to prospects who aren’t ready to buy, while ignoring those who are; your customers may receive emails that are meant for prospects; your HR team may offer benefits to the wrong set of employees—and much, much more.

Shadow IT can create these situations, as IT can’t oversee the access levels of these applications or uncover (and address) suspicious behaviors when they occur.

What are the benefits of shadow IT?

Despite all of its issues, shadow IT isn’t all bad. Here are a few of the reasons why shadow IT can help your team:

  • It can improve employee productivity. Since employees don’t wait for IT to approve their request for a given application, they can adopt it and leverage its functionality in their day-to-day work quickly. Moreover, they can select whatever applications they want, leading them to pick those that allow them to perform their work most effectively. 
  • It can strengthen your relationship with employees. Providing employees more influence over the applications and devices they use communicates, albeit implicitly, that you trust and value their judgment. This should go a long way in improving employee engagement—which, as ample research suggests, can boost employee performance.
  • It can free up IT. By allowing IT to avoid reviewing application and device requests manually, they can focus on other business-critical work. This can be anything from implementing integrations and automations to troubleshooting and resolving incidents (although, ironically, shadow IT can cause many incidents).
  • It can reveal opportunities for process improvement. Assuming your IT team discovers the applications and devices that fall out of their control, they’ll likely spot patterns in terms of the departments, regions, and, even, the specific end users who perform shadow IT. They can then work with these stakeholders to better understand why they performed shadow IT and how they can improve their provisioning processes on behalf of these teams.
  • It can elevate your organization’s performance. Similar to our first benefit, when employees use the applications they prefer and are comfortable with, they’re more likely to make decisions and take actions that benefit your organization. This can take a number of forms: a sales leader can iterate on their team’s sales process based on the tool they acquire; the product team can begin to collect in-product feedback and use those insights to revise their roadmap; an SEO expert can conduct more in-depth analysis and identify more impactful keyword opportunities, etc.

How to prevent shadow IT

You might be asking yourself: “How can I reap the benefits of shadow IT while avoiding its drawbacks?”

We’ve addressed this first-hand through the use of a platform bot we call “Firefighter.”

Through Firefighter, employees can identify the applications we currently have and request access to any; they can also use the chatbot to file a ticket for procuring a specific application or device. Once these requests take place, Firefighter notifies the appropriate approvers, allows them to review the requests, and enables them to approve or reject any with the click of a button. 

Perhaps the best part about Firefighter: It allows our employees to make these requests and approvals all within our business communications platform—which happens to be Slack.

Let’s take a closer look at how it can work when one of our employees wants to access a specific application:

1. The employee navigates to Firefighter in Slack and sees a homepage with a variety of options. The employee goes on to select “Request for Apps.”

A screenshot of Firefighter's homepage

2. A modal (or pop-up) presents the employee with a few options; this includes selecting the beneficiary (where they’d list themself), the provision date, the app, and the reason behind their request.

A screenshot of the popup Firefighter displays when an employee is requesting access to an application (either for themself or someone else)

3. Once submitted, the employee’s manager would receive a message from Firefighter. The message would present all of the details around the request, and it would allow them to approve or reject it with the click of a button.

4. Once approved, IT would get notified via a specific channel, and the provisioning would get carried out automatically via OneLogin.

5. The requestor receives a notification from Firefighter, informing them that their request has been approved and that they’ve been provisioned successfully.
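As an added illustration (not Workato’s or Firefighter’s own code) of the control the five steps above enforce, here is a minimal Python model of the request, approval and provisioning states. The reporting lines, the app catalogue and the `provisioner` callback are constructed assumptions standing in for the HR directory, the approved-app list and the OneLogin integration the text mentions.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

MANAGER_OF = {"alice": "bob", "bob": "carol"}  # constructed sample reporting lines
APPROVED_APPS = {"salesforce", "jira"}         # constructed sample of apps IT owns

class State(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"
    PROVISIONED = "provisioned"

@dataclass
class AccessRequest:
    requester: str
    beneficiary: str
    app: str
    provision_date: date
    reason: str
    state: State = State.PENDING
    audit: list = field(default_factory=list)  # who did what, in order

def submit(requester, beneficiary, app, provision_date, reason):
    """Step 2: modal fields become a pending request; unknown apps go to procurement."""
    if app not in APPROVED_APPS:
        raise ValueError(f"{app!r} not in catalogue; file a procurement ticket")
    req = AccessRequest(requester, beneficiary, app,
                        date.fromisoformat(provision_date), reason)
    req.audit.append(f"submitted by {requester} for {beneficiary}")
    return req

def decide(req, approver, approve):
    """Step 3: only the beneficiary's manager may decide, and only once."""
    if req.state is not State.PENDING:
        raise PermissionError("request already decided")
    if MANAGER_OF.get(req.beneficiary) != approver:
        raise PermissionError(f"{approver} is not {req.beneficiary}'s manager")
    req.state = State.APPROVED if approve else State.REJECTED
    req.audit.append(f"{req.state.value} by {approver}")
    return req.state

def provision(req, provisioner):
    """Step 4: runs only from APPROVED; `provisioner` is a hypothetical OneLogin stand-in."""
    if req.state is not State.APPROVED:
        raise RuntimeError("refusing to provision an unapproved request")
    provisioner(req.beneficiary, req.app)
    req.state = State.PROVISIONED
    req.audit.append(f"provisioned {req.app} for {req.beneficiary}")
    return req.state
```

The audit list is what lets IT later spot the departments and users that repeatedly request tools outside the catalogue, as the benefits section suggests.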


Implement your own version of Firefighter with Workato

Workato, the leader in enterprise automation, offers Workbot, a customizable platform bot that lets you bring automations to Slack, Microsoft Teams, or Workplace from Meta.


About the author
Jon Gitlin, Content Strategist @ Workato
Jon Gitlin is the Managing Editor of The Connector, where you can get the latest news on Workato and uncover tips, examples, and frameworks for implementing powerful integrations and automations. In his free time, he loves to run outside, watch soccer (er...football) matches, and explore local restaurants.